[IT-SecNots] [Security-news] Drupal core - Moderately critical - Access Bypass - SA-CORE-2021-010

[security-news AT drupal.org]

View online: https://www.drupal.org/sa-core-2021-010

Project: Drupal core [1]
Date: 2021-September-15
Security risk: *Moderately critical* 12∕25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access Bypass

CVE IDs: CVE-2020-13677
Description: 
Under some circumstances, the Drupal core JSON:API module does not properly
restrict access to certain content, which may result in unintended access
bypass.

Sites that do not have the JSON:API module enabled are not affected.

This advisory is not covered by Drupal Steward [3].

Solution: 
Install the latest version:

  * If you are using Drupal 9.2, update to Drupal 9.2.6 [4].
  * If you are using Drupal 9.1, update to Drupal 9.1.13 [5].
  * If you are using Drupal 8.9, update to Drupal 8.9.19 [6].

Versions of Drupal 8 prior to 8.9.x and versions of Drupal 9 prior to 9.1.x
are end-of-life and do not receive security coverage.

Drupal 7 core does not include the JSON:API module and therefore is not
affected.

Reported By: 
  * Brad Jones [7]

Fixed By: 
  * Brad Jones [8]
  * Jess  [9] of the Drupal Security Team
  * Björn Brala [10]
  * Gabe Sullice [11]
  * Mateu Aguiló Bosch [12]


[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/steward
[4] https://www.drupal.org/project/drupal/releases/9.2.6
[5] https://www.drupal.org/project/drupal/releases/9.1.13
[6] https://www.drupal.org/project/drupal/releases/8.9.19
[7] https://www.drupal.org/user/405824
[8] https://www.drupal.org/user/405824
[9] https://www.drupal.org/user/65776
[10] https://www.drupal.org/user/3366066
[11] https://www.drupal.org/user/2287430
[12] https://www.drupal.org/user/550110

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news